Project 10: Hacking a PPTP VPN with Asleap (25 pts.)

What You Need

Your Kali machine must have VMware Tools installed. The Kali images I handed out already have the tools installed, but if yours doesn't, see instructions
here.

Purpose

PPTP is an old VPN protocol, known to be insecure.
In its simplest form, PPTP uses MS-CHAPv2 to transmit
password information over the network.

Moxie Marlinspike has set up a cloud service
that performs a complete brute-force attack
to recover any password sent via MS-CHAPv2 for
$200. However, we don't have $200 to spend, so
we'll settle for a weaker attack using a
dictionary of the top 10,000 passwords.

The point is clear--PPTP with MS-CHAPv2 is
unsafe to use. Even an attacker with very modest
means can steal passwords from it.

The new file Words.dat is somewhat smaller
than words.dat, because it excludes passwords
that begin with a numeral,
as shown below.

Execute these commands to put all the
passwords in a file named allwords.dat,
and examine the files:

cat words.dat Words.dat >> allwords.dat

ls -l

The new file allwords.dat
has a length equal to the sum of the
two files "words.dat" and "Words.dat",
as shown below.

Adjusting Kali's Networking

In Virtual Machine Settings,
configure the Kali machine to use
the private Host-only network,
as shown below.

In Kali, in a Terminal window,
execute these commands to assign
an appropriate IP address to eth0
and test the networking:

ifconfig eth0 10.0.0.3/8

ping 10.0.0.1

You should see replies, as shown
below. If you don't, make sure
the Windows 2008 Server's
firewall is off.

Press Ctrl+C to stop the pings.

Enabling Packet Forwarding on Kali

In Kali, in a Terminal window,
execute this command to enable
packet forwarding. Without it, Kali
receives the redirected packets but does
not pass them on, so the man-in-the-middle
attack below will prevent all networking
and become a denial-of-service attack instead:

echo 1 > /proc/sys/net/ipv4/ip_forward

Start ARP Poisoning

In Kali, in a Terminal window,
execute this command to send
bogus ARP replies to the Windows
7 target, redirecting all traffic
bound for the VPN server to the Kali machine: